RE: recursive DNS servers DDoS as a growing DDoS problem
> They don't need more servers, just better software. If you think open
> recursion (DNS DoS amplification) is an issue ISPs can ignore, I suggest
> you look at the history of open SMTP relays and networks
> supporting/allowing directed broadcast.
I'll address the "ignore" part.
I don't think closing recursive dns servers is going to make squat
difference for dns based flooding just like closing SMTP relays didn't make
squat difference for the spam problem. The spam continues to flow today..
Closing SMTP relays solved another problem, server capacity for the ISP, so
it was in their interest to close the relays because it ate up their
bandwidth and mail server capacity.
Has anyone being used for a dns flood noticed they were being used?
As to the issue of dns flooding, it doesn't require open recursive servers.
I can point the whole domain to someone's website without even having a DNS
server of my own simply by using www.domain.com and the target's IP address
as one of the authorative name servers listed with the registrar and target
someone that way. All I need to do then is generate queries for a bunch of
random.domain.com names, I don't even need to spoof, 20,000 bots talking to
their authorized recursive servers should work just fine. Heck for that
matter I don't even need bots, I could just spam the planet and use
bob@xxxxxxxxxxxxxxxxx as the return address. (that might even give the
amplification required)
What is closing an open recursive server going to do for the ISP hosting it?
I haven't heard anyone screaming that these floods were even noticable by
the folks running the recursive dns servers. Where is the motivation for the
ISP, ISP customer, corporation, university, etc. to do anything? Yeah, I
think they can ignore it until someone decides to target them.
Geo.